Bug#481177: openssh-server: randomise size of rsa host keys

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#481177: openssh-server: randomise size of rsa host keys
From: Jon Dowland <jon+bts@alcopop.org>
Date: Wed, 14 May 2008 12:25:08 +0100
Message-id: <[🔎] 20080514112508.GA19157@ankh.ncl.ac.uk>
Reply-to: Jon Dowland <jon+bts@alcopop.org>, 481177@bugs.debian.org

Package: openssh-server
Version: 1:4.7p1-9
Severity: wishlist
Tags: patch

Hi,

Given that rainbow tables for vulnerable keys are
predicated on the size of the key, would you consider
randomizing the length of the host RSA key, to protect
against future exploits?

Something like this:

--- debian/openssh-server.postinst~	2008-05-14 11:45:59.000000000 +0100
+++ debian/openssh-server.postinst	2008-05-14 11:48:31.000000000 +0100
@@ -172,12 +172,13 @@
 
 create_keys() {
 	hostkeys="$(host_keys_required)"
+	bits=$(expr 2048 + $(expr $RANDOM % 64))
 
 	create_key "Creating SSH1 key; this may take some time ..." \
 		"$hostkeys" /etc/ssh/ssh_host_key -t rsa1
 
 	create_key "Creating SSH2 RSA key; this may take some time ..." \
-		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa
+		"$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b "$bits"
 	create_key "Creating SSH2 DSA key; this may take some time ..." \
 		"$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa
 }



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-486
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser                3.107             add and remove users and groups
ii  debconf [debconf-2.0]  1.5.21            Debian configuration management sy
ii  dpkg                   1.14.19           package maintenance system for Deb
ii  libc6                  2.7-11            GNU C Library: Shared libraries
ii  libcomerr2             1.40.8-2          common error description library
ii  libkrb53               1.6.dfsg.3-2      MIT Kerberos runtime libraries
ii  libpam-modules         0.99.7.1-6        Pluggable Authentication Modules f
ii  libpam-runtime         0.99.7.1-6        Runtime support for the PAM librar
ii  libpam0g               0.99.7.1-6        Pluggable Authentication Modules l
ii  libselinux1            2.0.59-1          SELinux shared libraries
ii  libssl0.9.8            0.9.8g-10         SSL shared libraries
ii  libwrap0               7.6.q-15          Wietse Venema's TCP wrappers libra
ii  lsb-base               3.2-8             Linux Standard Base 3.2 init scrip
ii  openssh-blacklist      0.1.0             list of blacklisted OpenSSH RSA an
ii  openssh-client         1:4.7p1-9         secure shell client, an rlogin/rsh
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages openssh-server recommends:
ii  xauth                         1:1.0.3-1  X authentication utility

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:

-- 
Jon Dowland
ISS UNIX Team

Reply to:

Follow-Ups:
- Bug#481177: openssh-server: randomise size of rsa host keys
  - From: Colin Watson <cjwatson@debian.org>
- Bug#481177: openssh-server: randomise size of rsa host keys
  - From: Clint Adams <schizo@debian.org>

Prev by Date: Bug#481151: [openssh-server] initscript LSB header in conflict with update-rc.d options
Next by Date: Bug#481177: openssh-server: randomise size of rsa host keys
Previous by thread: Bug#481151: marked as done ([openssh-server] initscript LSB header in conflict with update-rc.d options)
Next by thread: Bug#481177: openssh-server: randomise size of rsa host keys
Index(es):
- Date
- Thread